RE: Advanced Network Infrastructure Assessment Questions....

["Erin Carroll" <amoeba () amoebazone com>]

Excellent reply Pete. As a moderator it makes my day when detailed responses
like this are submitted. :)

In my experience the most time consuming task is the audit and enumeration
rules/ACL's etc of network devices. There are several tools out there in the
Risk Assessment/Audit market which can help to expedite this portion (Cisco,
SkyBox, Red Seal, etc). I've some experience on these tools and Red Seal is
the only one (AFAIK) that offers a engagement or consulting-based solution
which sounds like it would fit your needs. Grab the configs of the
firewalls, routers, switches etc and it will build you a nice map and risk
analysis which should help grab the low hanging fruit. It always nice to
have a quick and easy way to show a client that if they change foo at X how
it affects bar at Y and tools like Red Seal's allow a simple visual
representation which easily translates to non-techs.

As Pete mentions though, that part is only the beginning and the OSSTMM
controls are a great guideline to follow to sniff out the non-obvious risks.

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 

> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Pete Herzog
> Sent: Sunday, July 01, 2007 9:35 AM
> To: Joseph McCray
> Cc: pen-test () securityfocus com
> Subject: Re: Advanced Network Infrastructure Assessment Questions....
>
> Hi Joe,
>
> I know you're a smart security guy so I won't insult you with 
> basic stuff you probably know but rather approach this as 3 
> possible tiers.
>
> Depending on your assessment (what you're promising or 
> selling) you may want to just make sure that the 
> routers/firewalls are working as designed for egress/ingress 
> filtering, depth and level of that filtering, packet 
> manipulation type from that filtering, packet contents added 
> or removed with the filtering, holding states properly if so 
> configured, controls and handling for accepted protocols 
> (here the TCP/UDP/ICMP trinity is merly the start), and 
> controlled access granted appropriately and to the right 
> vector.  And that's the unit itself.
>
> Then there's the environment around the unit, its processes 
> and controls where they interact with other channels and 
> vectors like people, telecommunications, wireless, etc. and 
> from the inside, outside, or direct access.
>
> The third possibility is to test the systems themselves for 
> vulnerabilities where the standard fare applies of validation 
> of interactivity whether direct (interactive with the system) 
> or indirect (system writes a log which is exploited). But 
> that may not be something where you will find the average 
> corporate customer buying. It all depends what you're doing 
> or want to do.
>
> Of course the first 2 tiers can be repackaged into a variety 
> of partials audits for various compliance objectives.  Same 
> chips, different colored bag, change flavoring powder to taste.
>
> One way we have been approaching the means of increasing the 
> depth of security tests is to use the 10 controls of the 
> OSSTMM as a starting point. 
>   It's an easy way of trying to find how and where that 
> control is implemented in the security solution and what 
> weaknesses it has.  That list is available under the security 
> metrics (RAVs) portion of OSSTMM 2.2 at www.osstmm.org.  Here 
> it is reprinted:
>
> Controls
> Controls are the 10 loss protection categories in two 
> categories, Class A 
> (interactive) and Class B (process).   The Class A categories are 
> authentication, indemnification, subjugation, continuity, and 
> resilience. 
> The Class B categories are non-repudiation, confidentiality, 
> privacy, integrity, and alarm.
>
> Class A
>    Authentication is the control of interaction requiring 
> having both credentials and authorization where 
> identification is required for obtaining both.
>    Indemnification is the control over the value of assets by 
> law and/or insurance to recoup the real and current value of the loss.
>    Subjugation is the locally sourced control over the 
> protection and restrictions of interactions by the asset responsible.
>    Continuity is the control over processes to maintain 
> access to assets in the events of corruption or failure.
>    Resilience is the control over security mechanisms to 
> provide protection to assets in the event of corruption or failure.
>
> Class B
>    Non-repudiation prevents the source from denying its role 
> in any interactivity regardless whether or not access was obtained.
>    Confidentiality is the control for assuring an asset 
> displayed or exchanged between parties can be known outside 
> of those parties.
>    Privacy is the control for the method of how an asset 
> displayed or exchanged between parties can be known outside 
> of those parties.
>    Integrity is the control of methods and assets from 
> undisclosed changes.
>    Alarm is the control of notification that OPSEC or any 
> controls have failed, been compromised, or circumvented.
>
> Sincerely,
> -pete.
>
>
> Joseph McCray wrote:
> > I'm starting to do more and more network infrastructure assessment 
> > work (specifically auditing 
> Routers/Switches/Firewalls/VPNs/etc), and 
> > I'm really looking to expand the scope of this service and make my 
> > audit as thorough as possible.
> >
> > Basically, the stuff that I'm hitting the hardest right now 
> is SNMP, 
> > TFTP, NTP, VPN psk stuff, firewall leak testing, and of course weak 
> > passwords/clear text protocols for network management.
> >
> > My most commonly used tools right now are:
> >
> > * nmap (obviously)
> > * nessus
> > * onesixtyone (and other snmp tools)
> > * cisco-torch
> > * cge.pl
> > * ftester
> > * ike-scan (and other scripts)
> >
> > Tools of interest for me are scapy and yersinia. Just 
> really haven't 
> > sat down and learned them, but read about and have played 
> with them a 
> > little (never on an audit though).
> >
> > I'm looking for other things that I may be 
> forgetting/neglecting. I'm 
> > running into a lot more non-cisco gear so that is new for 
> me (Extreme, 
> > Foundry, Juniper, etc). So I'm looking for good general information 
> > that will help me improve my audits in that area.
> >
> > I'm specifically looking for more links on auditing NAC 
> solutions (a 
> > methodology that I could follow or at least point me in the right 
> > direction). More stuff like this:
> https://www.blackhat.com/presentations/bh-europe-07/Dror-Thumann/Prese
> > ntation/bh-eu-07-dror-ppt-apr19.pdf
> https://www.blackhat.com/presentations/bh-europe-07/Dror-Thumann/White
> > paper/bh-eu-07-dror-WP.pdf ...and Ofir Arkin's research on 
> the subject 
> >
> http://media.blackhat.com/presentations/bh-dc-07/Arkin/Presentation/bh
> > -dc-07-Arkin-ppt-up.pdf
> >
> > I'm also looking for people that are auditing things like 802.1x, 
> > and/or doing 802.1x implementations in a hybrid network 
> infrastructure (i.e.
> > Cisco, Extreme, Foundry, blah blah blah).
> >
> >
> > Let me know guys...I could really use the help.
>
> --------------------------------------------------------------
> ----------
> This List Sponsored by: Cenzic
>
> Swap Out your SPI or Watchfire app sec solution for Cenzic's 
> robust, accurate risk assessment and management solution FREE 
> - limited Time Offer
>
> http://www.cenzic.com/wf-spi
> --------------------------------------------------------------
> ----------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Swap Out your SPI or Watchfire app sec solution for
Cenzic's robust, accurate risk assessment and management
solution FREE - limited Time Offer

http://www.cenzic.com/wf-spi
------------------------------------------------------------------------